Quantum cryptography has attracted much recent attention due to its potential for providing 
secret communications that cannot be decrypted by any amount of computational effort. This is the 
first analysis of the secrecy of a practical implementation of the BB84 protocol that simultaneously 
takes into account and presents the full set of complete analytical expressions for effects due to the 
presence of pulses containing multiple photons in the attenuated output of the laser, the finite length 
of individual blocks of key material, losses due to error correction, privacy amplification, continuous 
authentication, errors in polarization detection, the efficiency of the detectors, and attenuation 
processes in the transmission medium. The analysis addresses eavesdropping attacks on individual 
photons rather than collective attacks in general. Of particular importance is the first derivation of 
the necessary and sufficient amount of privacy amplification compression to ensure secrecy against 
the loss of key material which occurs when an eavesdropper makes optimized individual attacks 
on pulses containing multiple photons. It is shown that only a fraction of the information in the 
multiple photon pulses is actually lost to the eavesdropper. 



The use of quantum cryptographic protocols to generate key material for use in the encryption of classically transmitted messages has been the subject of intense research activity. The first such protocol, known as BB84 [1], can be realized by encoding the quantum bits representing the raw cryptographic key as polarization states of individual photons. The protocol results in the generation of a shorter string of key material for use by two individuals, conventionally designated Alice and Bob, who wish to communicate using encrypted messages which cannot be deciphered by a third party, conventionally called Eve. The unconditional secrecy of BB84 has been proved under idealized conditions, namely, on the assumption of pure single-photon sources and in the absence of various losses introduced by the equipment which generates and detects the photons or by the quantum channel itself ^]. The conditions under which secrecy can be maintained under more realistic circumstances have been studied extensively. This is the first analysis of the secrecy of a practical implementation of the BB84 protocol that simultaneously takes into account and presents the full set of complete analytical expressions for effects due to the presence of pulses containing multiple photons in the attenuated output of the laser, the finite length of individual blocks of key material, losses due to error correction, privacy amplification, continuous authentication, errors in polarization detection, the efficiency of the detectors, and attenuation processes in the transmission medium H. We consider in this paper attacks made on individual photons, as opposed to collective attacks on the full quantum state of the photon pulses. The extension to other protocols, such as B92 f|, is straightforward, but is not discussed here due to limitations of space.

The protocol begins when Alice selects a random string of m bits from which Bob and she will distill a shorter key of L bits which they both share and about which Eve has exponentially small information. We define the secrecy capacity S as the ratio of the length of the final key to the length of the original string:

This quantity is useful for two reasons. First, it can be used in proving the secrecy of specific practical quantum cryptographic protocols by establishing that

holds for the protocol. Second, it can be used to establish the rate of generation of key material according to

where r is the pulse period of the initial sequence of photon transmissions. Several scenarios in which useful key generation rates can be obtained are described in 0. The length of the final key is given by

The first term, n, is the length of the sifted string. This is the string that remains after Alice has sent her qubits to Bob, and Bob has informed Alice of which qubits were received and in what measurement basis, and Alice has indicated to Bob which basis choices correspond to her own. We consider here the important special case where the number of photons in the pulses sent by Alice follows a Poisson distribution with parameter $\mu$. This is an appropriate description when the source is a pulsed laser that has been attenuated to produce weak coherent pulses. In this case, the length of the sifted string may be expressed as fl

where $\eta$ is the efficiency of Bob's detector, $\alpha$ is the transmission probability in the quantum channel, and $r_d$ is the probability of obtaining a dark count in Bob's detector during a single pulse period. $\psi_{\geq k}(X)$ is the probability of encountering k or more photons in a pulse selected at random from a stream of Poisson pulses having a mean of X photons per pulse:



l=k 



l=k 
Other types of photon sources may be treated by appropriate modifications of equations and [| A comprehensive treatment of this subject, including an extensive analysis of factors contributing to $\alpha$, is found in 0.

The next terms represent information that is either in error, or that may potentially be leaked to Eve during the rest of the protocol. This information is removed from the sifted string by the algorithm used for privacy amplification, and so the corresponding number of bits must be subtracted from the length of the sifted string to obtain the size of the final key that results.

The first such term, $e_T$, represents the errors in the sifted string. This may be expressed in terms of the parameters already defined and the intrinsic channel error probability $r_c$:

where the intrinsic channel errors are due to relative misalignment of Alice's and Bob's polarization axes and, in the case of fiber optics, the dispersion characteristics of the transmission medium. These errors are removed by an error correction protocol which results in an additional q bits of information about the key being transmitted over the classical channel. We express this as



q = Q [x, — ) e T 
where $h(p)$ is the binary entropy function for a bit whose a priori probability of being 1 is p. The factor x is introduced as a measure of the ratio by which a particular error correction protocol exceeds the theoretical minimum amount of leakage given by Shannon entropy Q :

The next term, t, is an upper bound for the amount of information Eve can obtain by direct measurement of the polarizations of single photon pulses. This upper bound may be expressed as



$$t = T e_T$$

where T is given by 0,0,13

with

and $\xi$ is defined by

$\xi(n_1, \epsilon) =$

In the above equation $\epsilon$ is a security parameter that gives the likelihood for a successful eavesdropping attack against a single-photon pulse in the stream.

Finally, we have used

which are the contributions to n and $e_T$ from the subset of Alice's pulses for which exactly one photon reaches Bob.

The next term, v, is the information leaked to Eve by making attacks on pulses containing more than one photon. There are a variety of possible attacks, including coherent attacks that operate collectively on all the photons in the pulse. We restrict our attention to disjoint attacks that single out each individual photon. Even with this restriction, there are a large number of alternatives. Eve can perform a direct attack by making direct measurements of the polarization of some subset of the photons and allowing the rest to continue undisturbed. She can also perform an indirect attack by storing some of the photons until she learns Alice and Bob's basis choices by eavesdropping on their classical channel. She then measures the stored photons in the correct basis to unambiguously determine the value of the bit. Finally, she can make a combined attack by using the two strategies in some combination. In [Q] it is shown that the optimum attack is always either a direct or an indirect attack, depending on the value of a parameter y, which depends on channel and detector characteristics and the technological capabilities attributed to Eve. For the case of a fiber optic channel, it is possible in principle for Eve to replace the cable with a lossless medium, so that those pulses whose polarizations she can measure are guaranteed to reach Bob. In this case we take $y = \eta$. For the free space case, such an attack may not be feasible, but she can achieve a similar effect by using entanglement. In this version of the indirect attack, Eve and an accomplice located near Bob prepare pairs of entangled photons in advance. Eve then entangles one of these pairs with a photon emitted by Alice. Her accomplice can now make measurements on the entangled state, gaining information about the photons at Eve's location without losing photons to the attenuation in the channel. If we allow for such attacks, we still have $y = \eta$. If we do not attribute this level of technology to Eve, it is appropriate to take $y = \eta\alpha$. Note also that Eve can perform direct attacks using classical optical equipment, but that the indirect attacks require the type of apparatus envisaged for quantum computers.

There are three regions of interest. If $y > 1 - \frac{1}{\sqrt{2}}$ (i.e., $y \gtrsim 0.293$), the indirect attack is stronger, and the maximum information that Eve can obtain is



-0>2 (fi) - (1 - y)' 
If $y < 1 - \frac{1}{\sqrt[3]{2}}$ (i.e., $y \lesssim 0.206$), the direct attack is stronger, and Eve's information is

Finally, if y lies between these two regions, the relative strength of the attacks depends on the number of photons in the pulse. The information leaked to Eve is

where we have introduced the function:

For a photon pulse with 2k photons, $\sigma_e(k, y)$ is greater than 1 if the indirect attack is stronger and less than 1 if the direct attack is stronger. For odd numbers of photons, the direct attack is always stronger in this region §•

The significance of these results for Eve is evident. If the key distribution system is operating in the region of large y, her optimal attack is always the indirect attack. If the system operates in the region of small y, the direct attack is optimal. If the system operates in the middle region, Eve optimizes her attack by measuring nondestructively the number of photons in the incoming pulses and then selecting the attack for each pulse according to the number of photons it contains.
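The region logic above, as an added example that is not code from the paper: it computes the probability of k or more photons in a Poisson pulse and shows which attack a system designer has to budget for as the value of y changes along a fiber link. The function names, the 0.2 dB/km loss model and the detector efficiency of 0.5 are assumptions chosen for illustration.

```python
import math

# Region boundaries quoted in the text: about 0.293 and about 0.206.
Y_INDIRECT = 1 - 1 / math.sqrt(2)
Y_DIRECT = 1 - 2 ** (-1 / 3)

def poisson_tail(k, mean, terms=200):
    """Probability of k or more photons in a Poisson pulse with the given mean."""
    term = math.exp(-mean) * mean ** k / math.factorial(k)
    total = 0.0
    for l in range(k, k + terms):  # sum the tail directly to avoid cancellation
        total += term
        term *= mean / (l + 1)
    return total

def multiphoton_share(mu):
    """Share of non-empty pulses that carry two or more photons."""
    return poisson_tail(2, mu) / poisson_tail(1, mu)

def fiber_alpha(km, db_per_km=0.2):
    """ASSUMPTION: transmission probability from a plain dB/km loss figure."""
    return 10 ** (-db_per_km * km / 10)

def eve_y(eta, alpha, bypasses_loss):
    """y = eta if Eve is credited with a lossless channel or entanglement, else eta*alpha."""
    return eta if bypasses_loss else eta * alpha

def attack_region(y):
    """Which of the three regions of interest a given y falls into."""
    if y > Y_INDIRECT:
        return "indirect"
    if y < Y_DIRECT:
        return "direct"
    return "photon-number dependent"

def attack_for_pulse(y, photons):
    """Stronger attack on one multi-photon pulse, as far as the text determines it."""
    if photons < 2:
        raise ValueError("the multi-photon term only covers pulses with 2+ photons")
    region = attack_region(y)
    if region != "photon-number dependent":
        return region
    # Middle region: odd photon counts favour the direct attack; even counts are
    # decided by a function of (k, y) whose formula is not reproduced on this page.
    return "direct" if photons % 2 else "undetermined here"

def sweep(eta, distances_km):
    """Rows of (km, y without loss bypass, region without bypass, region with bypass)."""
    return [(km, round(eta * fiber_alpha(km), 4),
             attack_region(eve_y(eta, fiber_alpha(km), False)),
             attack_region(eve_y(eta, fiber_alpha(km), True)))
            for km in distances_km]

if __name__ == "__main__":
    print(f"multi-photon share at mu=0.1: {multiphoton_share(0.1):.4f}")
    for row in sweep(eta=0.5, distances_km=[5, 10, 15, 20, 40]):  # constructed inputs
        print(row)
```

With these constructed inputs the operating region moves from indirect through the middle region to direct as the link gets longer, unless Eve is credited with the ability to bypass channel loss, in which case y stays at the detector efficiency.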

The expressions for v represent upper bounds on the information that is leaked to Eve by attacks on the individual photons of multi-photon pulses. In Q] it is shown that Eve can always choose an eavesdropping strategy to achieve this upper bound as long as Bob does not counterattack by monitoring the statistics of multiple detection events that occur at his device. Even with this proviso, the upper bounds are only a fraction of the information contained in the multi-photon pulses. This indicates that the assumption, common in the literature, that Alice and Bob must surrender all of this information to Eve is overly restrictive.

The next two terms are grouped together at the end of the expression because their effect on S vanishes in the limit of large m. The first of these, a, is the continuous authentication cost. This is the number of secret bits that are sacrificed as part of the authentication protocol to ensure that the classical transmissions for sifting and error correction do occur between Alice and Bob without any "man-in-the-middle" spoofing by Eve. For the authentication protocols described in Q , the authentication cost is

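$$
\begin{aligned}
a(n,m) = {} & 4\left(g_{auth} + \log_2 \log_2 \left[2n(1 + \log_2 m)\right]\right) \cdot \log_2 \left[2n(1 + \log_2 m)\right] \\
& + 4\left(g_{auth} + \log_2 \log_2 (2n)\right) \log_2 (2n) \\
& + 4\left(g_{EC} + \log_2 \log_2 n\right) \log_2 n \\
& + 4\left(g_{auth} + \log_2 \log_2 g_{EC}\right) \log_2 g_{EC} \\
& + \tilde{g}_{EC} \\
& + 4\left(g_{auth} + \log_2 \log_2 \tilde{g}_{EC}\right) \log_2 \tilde{g}_{EC} . \qquad (20)
\end{aligned}
$$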



The security parameters $g_{auth}$, $g_{EC}$, and $\tilde{g}_{EC}$ are adjusted to limit the probability that some phase of the authentication fails to produce the desired result. For instance, the probability that Eve can successfully replace Alice's transmissions to Bob with her own transmissions is bounded by $2^{-g_{auth}}$. The probability that Alice's and Bob's copies of the key do not match after completion of the protocol is bounded by $2^{-g_{EC}} + 2^{-\tilde{g}_{EC}}$.

The last term, $g_{pa}$, is a security parameter that characterizes the effectiveness of privacy amplification. It is the number of bits that must be sacrificed to limit the average amount of information, $\langle I \rangle$, about Alice and Bob's shared key that Eve can obtain to an exponentially small number of bits [Ol :

The fundamental expression for the secrecy capacity may now be written in the limit of small dark count, $r_d \ll 1$:



1 ~ 2 ' 



where we have defined 



and 



f = 1+Q+T , 
so that the rescaled quantity v is independent of m.

Note that the pulse intensity parameter $\mu$ can be chosen to maximize the secrecy capacity S and thus also the key generation rate $\mathcal{R}$. A detailed investigation of the optimum pulse intensity under various conditions of practical interest and the resulting secrecy capacities and rates may be found in |Q.

We have presented results for the secrecy capacity of a practical quantum key distribution scheme using attenuated laser pulses to carry the quantum information and encoding the raw key material using photon polarizations according to the BB84 protocol. This is the first analysis of the secrecy of a practical implementation of the BB84 protocol that simultaneously takes into account and presents the full set of complete analytical expressions for effects due to the presence of pulses containing multiple photons in the attenuated output of the laser, the finite length of individual blocks of key material, losses due to error correction, privacy amplification, continuous authentication, errors in polarization detection, the efficiency of the detectors, and attenuation processes in the transmission medium for the implementation of BB84 described in 0. The transmission medium may be either free space or fiber optic cable. The results apply when eavesdropping is restricted to attacks on individual photons. The extension of these results to include collective attacks on multiple photon states in full generality is the subject of continuing research. Of particular importance are the findings that only a portion of the information in the multi-photon pulses need be lost to Eve and the identification of those regions of operation for which Eve's attack is optimized by choosing direct attacks, indirect attacks, or selecting the attack in real time based on the number of photons in the pulse. The assumption, common in the literature, that Alice and Bob must surrender all of this information to Eve is overly conservative. A companion paper, [13], compares quantitatively the results described here for attenuated laser sources with what is achievable using ideal single-photon sources.

APPENDIX: NOTE ON THE SECRECY CAPACITY FOR KEYS OF FINITE LENGTH

Most of the terms appearing in eq.(|]) for the length of the secret key, L, are directly proportional to the length of the block of raw key material, m. After dividing through by m (cf. eq.(1)), the contributions of these terms to the secrecy capacity S are independent of m. Three of the terms in L are not proportional to m, namely $g_{pa}$, a, and t. They result in contributions to the effective secrecy capacity that retain explicit dependence on m.

The third contribution, t, requires additional explanation. Its m dependence arises from a precise application of the privacy amplification result, eq.(^l|), derived by Bennett et al. in [12]. The bound on Eve's knowledge of the final key is obtained by assuming she has obtained a specific amount of Rényi information prior to privacy amplification. Starting from this point, Slutsky et al. [10] explicitly introduce a security parameter $\epsilon$ (see eq.(13)) to bound the probability that Eve has obtained more than t bits of Rényi information as a result of her attacks on single photon pulses.

By contrast, the analysis of || introduces no parameter analogous to $\epsilon$. Furthermore, the expression for the amount of privacy amplification compression given in 0] is linear in the blocksize, thus resulting in a contribution to the secrecy capacity that is independent of the blocksize. While this approach, as developed in does yield a bound on Eve's information about the key shared by Alice and Bob after privacy amplification, explicit results pertaining to the amount of information Eve obtains on the key prior to privacy amplification are not presented. Such results have important practical consequences. For example, Eve's likelihood of obtaining more than a given fraction of the raw key from her attacks on single photons increases as the block size of the key material is reduced. One therefore expects that the amount of privacy amplification compression required to ensure secrecy will increase as well. However, since this conclusion is strictly a consequence of the information Eve obtains prior to privacy amplification, it cannot be inferred from the analysis of |J. In contrast, the approach of [10], which we adopt in our analysis, relates the privacy amplification compression directly to the amount of information leaked to Eve prior to privacy amplification. This makes it possible to analyze the effect of the block size on the amount of privacy amplification compression, and concomitantly introduces an explicit security parameter, $\epsilon$, as a bound on Eve's chances of mounting a successful attack on strings of finite length.